Security Awareness Training Tips for Your Small Business

When it comes to data breaches and security awareness strategies, we often only hear about the big brand names and their multi-million dollar losses. But what about the small businesses that make up 99.9% of businesses in the United States? Are they also experiencing the same types of breaches? Are there ways to keep small businesses protected? Here is what you need to know:

Small Business Statistics

According to a Ponemon Institute report, small businesses accounted for 58% of data breaches in 2018, and the organizations affected spent an average of $1.43 million on damage to, or theft of, IT assets in the aftermath.

Attackers use phishing emails as a direct line to the most vulnerable part of an organization: its people. In 2018, 92.4% of malware was delivered by email, most often disguised as invoices, delivery-failure notices, law enforcement notices, or scanned documents. The majority of phishing emails aim to get the recipient to open an attachment such as an Office document. When the file is opened, it runs the attacker's code (typically an embedded macro) that installs malware on the computer and, from there, can spread across the network.

How to Keep Your Small Business Protected

Phishing attacks, weak passwords and vulnerable mobile devices are among the top reasons SMBs experience breaches. The following tips can help keep your small business from falling victim to these attack methods:

Always think twice before clicking a link in an email. Phishing is the practice of sending fake emails designed to look exactly like a genuine message from an organization you deal with, such as your bank, credit card company, or a paid service you use. The goal is to get you to click a link that leads to a look-alike website, which harvests your real login and account details. In other cases the email carries an attachment that looks legitimate but infects your computer with malware when opened. Phishing emails are often hard to spot, which is what makes them effective, so approach unexpected emails and the links in them with skepticism: check where a link really points before you click, and make sure you know what to do if you have clicked on a phishing link.
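The "where does this link really point?" check can be automated. The following is an added example, not code from the original article: a small Python script that pulls every link out of an HTML email body and flags the classic phishing tells (visible text that names one site while the link goes to another, a raw IP address as the host, a punycode hostname, and a trusted brand name buried as a subdomain of someone else's domain). The sample email, the brand examplebank.com and the trusted-domain list are all constructed for the example; the registered-domain logic is deliberately crude (last two labels) and would need a public-suffix list to handle domains like co.uk.

```python
"""Flag suspicious links in an HTML email body (added example, not from the article)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake "bank" notice with four links of varying honesty.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Please confirm your account at
<a href="http://examplebank.com.login-verify.net/session">https://www.examplebank.com/login</a>.</p>
<p>Or use our app: <a href="https://www.examplebank.com/app">our app</a></p>
<p>Invoice: <a href="http://203.0.113.7/inv.php">View invoice</a></p>
<p>Help: <a href="http://xn--examplebnk-z5a.com/help">help centre</a></p>
"""

# Assumption: the brand(s) this user actually has accounts with.
TRUSTED_DOMAINS = {"examplebank.com"}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1: the last two labels. Fine for .com/.net, wrong for co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_link(href, text):
    """Return the list of reasons this link is suspicious (empty list = nothing found)."""
    reasons = []
    host = urlparse(href).hostname or ""  # .hostname is already lowercased
    if is_ip(host):
        reasons.append("host is a raw IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) hostname")
    # Visible text that looks like a URL must point at the same registered domain.
    if text.startswith(("http://", "https://", "www.")):
        shown = text if "://" in text else "http://" + text
        shown_host = urlparse(shown).hostname or ""
        if registered_domain(shown_host) != registered_domain(host):
            reasons.append(f"text shows {shown_host} but link goes to {host}")
    # A trusted brand appearing inside some *other* registered domain is a decoy.
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and registered_domain(host) != trusted:
            reasons.append(f"'{trusted}' used as a decoy inside {host}")
    return reasons


def analyse_email(html):
    """Map each href in the email body to its list of suspicious-link reasons."""
    parser = LinkCollector()
    parser.feed(html)
    return {href: analyse_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in analyse_email(SAMPLE_EMAIL).items():
        print(("SUSPICIOUS " if reasons else "ok         ") + href)
        for reason in reasons:
            print("    -", reason)
```

Only the genuine examplebank.com link comes back clean; the other three are each caught by at least one rule. Mail clients do this kind of analysis far more thoroughly, but the rules above are the ones a person can apply by hovering over a link.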

Be cautious when interacting with visitors in the office. Social engineers try to obtain your personal or company information through in-person attacks. They will go as far as disguising themselves as a repair technician or another uniformed worker to gain access to your premises. Although social engineers can be convincing, you can prevent an in-person attack by following the tips outlined in this social engineering training video.

Always double-check phone numbers provided to you in an email. Vishing is the telephone equivalent of phishing. Vishers often offer fake prizes, products, or services and then ask for your credit card number or other personal information, supposedly to cover associated fees. Look up the organization's number independently rather than calling the one in the message. Learn how to protect yourself from a vishing scam here.

Don’t leave documents with sensitive information lying on your desk. Keep your workstation clear of anything a malicious insider could use to steal confidential information: paper files, flash drives, whatever is visible on your mobile devices or computer screen, and anything that could be pulled out of the trash or recycling bins. Remember to log off or lock your computer whenever you step away from your desk.

Always use a secure network when connecting to WiFi outside the office. An unsecured WiFi network can let an attacker on the same network read or tamper with your personal or company information. To prevent network eavesdropping, use a VPN, and prefer networks that require a password over open ones. Also watch out for open networks that criminals set up with a name very similar to the legitimate one, hoping you won't look closely and will connect to theirs instead. A VPN protects the traffic inside it, but it does not stop you from joining the wrong network in the first place, so confirm the exact network name with staff. Watch this video to learn the warning signs of this type of “Evil Twin” attack.
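To make the "very similar name" warning concrete, here is an added example (not code from the original article) that takes a list of scanned access points and flags the ones that look like an Evil Twin of the network you were told to use: the same name on an unknown router, a lookalike name with extra words or punctuation, or a confusable character swapped in. The scan results, the network name CafeNet and the known router MAC are all constructed; on a real machine you would feed in the output of your OS's WiFi scan instead.

```python
"""Spot possible Evil Twin access points in a WiFi scan (added example, not from the article)."""

# Constructed scan results: (SSID, BSSID, security). "--" means an open network.
SCAN = [
    ("CafeNet",      "aa:bb:cc:00:00:01", "WPA2"),   # the real one
    ("CafeNet",      "de:ad:be:ef:00:02", "--"),     # same name, open, unknown router
    ("CafeNet_Free", "de:ad:be:ef:00:03", "--"),     # lookalike with an extra word
    ("Cafe-Net",     "de:ad:be:ef:00:04", "WPA2"),   # lookalike with punctuation
    ("Caf3Net",      "de:ad:be:ef:00:05", "WPA2"),   # confusable character
    ("Library",      "11:22:33:44:55:66", "WPA2"),   # unrelated network
]

# Assumption: the venue told you its real network name and, ideally, the router MAC.
TRUSTED_SSID = "CafeNet"
TRUSTED_BSSIDS = {"aa:bb:cc:00:00:01"}

# Characters attackers swap in because they look like letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})
# Words commonly appended to make a lookalike sound official.
NOISE_WORDS = ("free", "guest", "wifi", "public")


def normalize(ssid):
    """Lowercase, undo confusables, drop punctuation and filler words."""
    s = ssid.lower().translate(CONFUSABLES)
    s = "".join(ch for ch in s if ch.isalnum())
    for word in NOISE_WORDS:
        s = s.replace(word, "")
    return s


def levenshtein(a, b):
    """Edit distance, so that a one-character typo still counts as a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(ssid, bssid, security):
    """Return a reason string if this access point looks like an Evil Twin, else None."""
    if bssid in TRUSTED_BSSIDS:
        return None
    norm, trusted = normalize(ssid), normalize(TRUSTED_SSID)
    if norm == trusted or levenshtein(norm, trusted) <= 1:
        if security in ("--", "", "OPEN"):
            return f"open network imitating '{TRUSTED_SSID}'"
        return f"name resembles '{TRUSTED_SSID}' but router {bssid} is not the known one"
    return None


def suspicious_networks(scan):
    """Map (SSID, BSSID) of every suspicious access point to the reason it was flagged."""
    flagged = {}
    for ssid, bssid, security in scan:
        reason = classify(ssid, bssid, security)
        if reason:
            flagged[(ssid, bssid)] = reason
    return flagged


if __name__ == "__main__":
    for (ssid, bssid), reason in suspicious_networks(SCAN).items():
        print(f"{ssid!r:16} {bssid}  {reason}")
```

Four of the six scanned networks are flagged; the real CafeNet router and the unrelated Library network pass. The key design point is that the comparison is done on a normalized name, so "Caf3Net" and "CafeNet_Free" are caught as the same lure even though a simple string comparison would miss them.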

Create and maintain strong passwords. Passwords are the keys to our lives: they grant access to sensitive information and resources. Hackers and cyber criminals will do just about anything to obtain your password, and once they have it they will try it against your banking, personal email, work email, and work websites as well. That is why each account needs its own strong, unique password (a password manager makes this practical), and why you need to know how to create a strong password to protect yourself and your organization from these threats.
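What "strong" means can be quantified. The following is an added example, not code from the original article: it generates passphrases and random passwords with the operating system's cryptographic random source (Python's secrets module, never the ordinary random module), works out how many bits of guessing entropy they carry, and checks a candidate password against a policy that catches the "common word plus digits" pattern. The word list and the list of common passwords are tiny constructed stand-ins; a real passphrase generator draws from several thousand words (the EFF long word list has 7776).

```python
"""Generate strong passwords and passphrases and measure their strength
(added example, not from the article)."""
import math
import secrets
import string

# Constructed stand-in word list (assumption: a real one has ~7776 words).
WORDS = ["anchor", "basket", "candle", "dragon", "eleven", "falcon", "garden",
         "harbor", "island", "jacket", "kettle", "lantern", "marble", "nickel",
         "orbit", "pepper"]

# Constructed list of passwords seen in public breach dumps.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


def entropy_bits(choices, length):
    """Bits of entropy for `length` independent picks from `choices` alternatives."""
    return length * math.log2(choices)


def generate_passphrase(n_words=6, sep="-"):
    """Diceware-style passphrase drawn with the OS CSPRNG."""
    return sep.join(secrets.choice(WORDS) for _ in range(n_words))


def generate_password(length=16):
    """Random password from letters, digits and punctuation, with one of each class."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def check_password(pw, min_length=12):
    """Return a list of policy failures; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in a breach/common-password list")
    # Strip trailing digits and symbols: "Password123!" is still just "password".
    core = pw.lower().rstrip(string.digits + string.punctuation)
    if core != pw.lower() and core in COMMON_PASSWORDS:
        problems.append("a common password with digits or symbols appended")
    if len(set(pw)) <= 3:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase)
    print(f"  {entropy_bits(len(WORDS), 6):.1f} bits with this toy list, "
          f"{entropy_bits(7776, 6):.1f} bits with a 7776-word list")
    pw = generate_password()
    print(pw, check_password(pw))
    print("Password123!", check_password("Password123!"))
```

Six words from a 7776-word list give about 77.5 bits, which is why a memorable passphrase beats a short string of symbols; the toy list here gives only 24 bits, which shows that the strength comes from the size of the list, not the length of the words.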

Create a culture of security awareness throughout your organization. Help employees remember security awareness best practices by making helpful resources available to them in the office. Posters, screensavers, calendars, and infographics can be fun and easy ways to educate your workforce.

Make cybersecurity part of your organization’s response strategy. Most organizations have plans for emergencies such as fires, theft, or natural disasters; you also need a plan for keeping the organization cyber-secure. What are your most valuable assets? How do you plan to protect them? How would you detect a breach? How would you recover from one?

Provide engaging security awareness training. Course content must be engaging to motivate your employees. Learners will not pay attention to content that is irrelevant to their jobs and painful to slog through; worse, they will feel their valuable time is being wasted.

Be an example to your employees. Employees will not take security precautions seriously if they don’t see leadership doing the same. Consistent messaging from the very top and good role modelling by supervisors drive home the importance of the program.